Strategy: Stop SQL Injection

Brad Causey, 07/01/11

Don’t Let Thieves in Through Your Web Apps

SQL injection continues to be one of the primary methods by which attackers exploit vulnerable Web applications and gain access to critical corporate databases. These attacks strike various types of infrastructures and software platforms; sometimes they are launched from inside the corporate network, but more typically external attackers use globally accessible Web applications as entry points. In March, for example, hundreds of thousands of sites were compromised by a SQL injection worm. What all these attacks have in common is that they rely on structured data, stored in a relational database in a multitier application structure.

This is the menace of SQL injection; the first step to countering the threat is to understand it. In this report, we explain how attackers use this ubiquitous method to exploit Web applications—in some cases, even when they don’t know the nature of the vulnerabilities they are exploiting. We also demonstrate some basic ways to protect your apps and critical business databases against SQL injection.